

http://www.iaeme.com/IJCIET/index.asp 96 [email protected]

International Journal of Civil Engineering and Technology (IJCIET)

Volume 9, Issue 8, August 2018, pp. 96–112, Article ID: IJCIET_09_08_011

Available online at http://www.iaeme.com/ijciet/issues.asp?JType=IJCIET&VType=9&IType=8

ISSN Print: 0976-6308 and ISSN Online: 0976-6316

© IAEME Publication Scopus Indexed

ASSESSING THE INFORMATION SECURITY CULTURE IN A GOVERNMENT CONTEXT: THE CASE OF A DEVELOPING COUNTRY

Mohamad Noorman Masrek, Faculty of Information Management, Universiti Teknologi MARA, Shah Alam Selangor, Malaysia

Qamarul Nazrin Harun, Faculty of Information Management, Universiti Teknologi MARA, Shah Alam Selangor, Malaysia

Noor Zaidi Sahid, Faculty of Information Management, Universiti Teknologi MARA, Shah Alam Selangor, Malaysia

ABSTRACT

In the Industrial Revolution 4.0 (IR 4.0), information security has been highlighted as one of the critical components that need to be addressed by industry practitioners. To this effect, the deployment of information security controls, both technical and non-technical, is essential in order to safeguard and protect organizational information from any form of threat or danger. Information Security Culture (ISC) is a term used to describe a situation where not only are members aware and skillful in terms of information security, but the processes and procedures as well as the technologies are also in place to protect and safeguard organizational information. This paper reports the findings of a study aimed at assessing the ISC of Malaysian public organizations. The study used a survey research methodology with a questionnaire as the data collection technique. The results of the study suggest that ISC, measured in terms of management support, policy and procedures, compliance, awareness, budget and technology, is not in place in the participating organizations. The findings send a strong message that much effort is needed to strengthen the ISC in these participating organizations.

Key words: information security; information security culture; perceived importance; perceived implementation; survey; questionnaire.

Cite this Article: Mohamad Noorman Masrek, Qamarul Nazrin Harun and Noor Zaidi Sahid, Assessing the Information Security Culture in a Government Context: The Case of a Developing Country. International Journal of Civil Engineering and Technology, 9(8), 2018, pp. 96-112. http://www.iaeme.com/IJCIET/issues.asp?JType=IJCIET&VType=9&IType=8

1. INTRODUCTION

The rise in data and information security breaches of late is very alarming. In 2017, Malaysia suffered its largest data breach, in which records of mobile phone numbers, names and SIM card data of 46 million users were stolen from Malaysian telecoms companies (Tan & Nair, 2017). In addition, it was also reported that about 80,000 medical records were stolen. A recent study by IBM Security and the Ponemon Institute involving 11 countries and two regions, namely ASEAN (Singapore, Indonesia, the Philippines and Malaysia) and the Middle East (United Arab Emirates and Saudi Arabia), found that all participating organizations had experienced a data breach, ranging from approximately 2,600 to slightly less than 100,000 compromised records (Ponemon Institute 2017a). The average total cost of a data breach for the 419 participating companies was $3.62 million (Ponemon Institute 2017a). In another study, the Ponemon Institute (2017b) surveyed 1000 information technology (IT) professionals at small and medium-sized companies, and 54% of these respondents said that negligent employees were the root cause of data breaches. According to Peltier, Peltier & Blackley (2005), “employees are most familiar with the organization’s information assets and processing systems, including knowing what actions might cause the most damage, mischief, or sabotage”. Given that the damage caused by a data or information breach is very hazardous to the well-being of the organization, the need to intensify information security is inevitable.

Information security can be defined as “a well-informed sense of assurance that information risks and controls are in balance” (Anderson, 2003). According to the IT Governance Institute (2001), the objective of information security is “protecting the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality, and integrity”. Confidentiality means “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information” (Nieles, Dempsey & Pillitteri, 2017). Integrity means guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity. Availability means ensuring timely and reliable access to and use of information. Scholars have argued that, besides implementing technical information security controls, it is equally important for an organization to develop an information security culture (ISC) (Eloff & Von Solms, 2000; Von Solms, 2000). Information Security Culture (ISC) is a term used to describe a situation where not only are members aware and skilful in terms of information security, but the processes and procedures as well as the technologies are also in place to protect and safeguard organizational information. According to Rastogi & von Solms (2012), ISC has been found to have a profound influence on the compliance of end-users with information security policies and controls in their organization.

Many studies suggest that implementing ISC inside organizations would help manage and reduce security risks to information assets (AlHogail & Mirza, 2015). However, most of these studies were done in countries other than Malaysia. Because of this, not much is really known about the situation of ISC in the context of Malaysia, especially among government agencies. To this effect, a study was carried out with the aims of (i) identifying the components perceived as important for developing ISC in the context of Malaysian public organizations, (ii) identifying the state of practice in relation to the components of ISC perceived as important, and (iii) identifying the gap between perceived importance and perceived implementation in terms of the ISC components.

2. LITERATURE REVIEW AND CONCEPTUAL FRAMEWORK

ISC has its roots in organizational culture. According to Brown (1998), organizational culture refers “to the pattern of beliefs, values and learned ways of coping with experience that have developed during the course of an organization’s history, and which tend to be manifested in its material arrangements and in the behaviours of its member”. Schein (1999) asserted that beliefs and values, however, are concepts that are difficult to quantify, and it is therefore often tempting to think of culture as just “the way we do things around here”. Drawing upon the definitions of organizational culture, researchers have defined ISC in a myriad of ways. For instance, Dhillon (2007) defined ISC as “the totality of human attributes such as behaviors, attitudes, and values that contribute to the protection of all kinds of information in a given organization.” On the other hand, AlHogail & Mirza (2015) defined ISC as “the collection of perceptions, attitudes, values, assumptions and knowledge that guides how things are done in organization in order to be consistent with the information security requirements with the aim of protecting the information assets and influencing employees’ security behavior in a way that preserving the information security becomes a second nature”. However, Martins & Da Veiga (2015) opined that when developing ISC, people, process and technology need to be combined.

The published studies on ISC have generated various models and frameworks that highlight the importance and significance of ISC. In addition, a good number of studies have also provided guidelines for creating and assessing ISC (Tolah, Furnell & Papadaki, 2017). Schlienger & Teufel (2003), for instance, identified security culture as consisting of three layers: (i) corporate policies (policy, organisation structure, resources); (ii) management (implementation of security policy, responsibility, qualification and training, awards and prosecutions, audits, benchmarks); and (iii) individual (attitude, communication, compliance). In another study, Da Veiga & Eloff (2010) showed that the following factors were integral in developing ISC: (i) leadership and governance (sponsorship, strategy, IT governance, risk assessment, ROI/metrics/measurement); (ii) security management and organisation (legal and regulatory, program organisation); (iii) policy (policies, standards, procedures, guidelines, best practice, certification); (iv) security program management (monitor, audit, compliance); (v) user security management (awareness, training, trust, privacy, ethical conduct); (vi) technology protection and operations (system development, technical operation, physical and environment, asset management, incident management, business continuity); and (vii) change management.

Figure 1 presents the conceptual framework of the study. ISC is dimensionalised as comprising management support, policy and procedures, compliance, awareness, budget and technology. Management support is further divided into information security commitment and information security importance, while policy and procedure is broken down into information security policy effectiveness and information security directives. The compliance component has two parts, which are information security monitoring perceptions and information security consequences. The awareness component comprises information security responsibility and information security training. The budget component is divided into information security budget practices and information security investments. The technology component is segmented into information technology capability and information technology compatibility. As the study is aimed at looking at both the aspects or components perceived as important and the extent to which each component is being practiced, the ISC framework is split into two parts: perceived importance and perceived implementation.

Figure 1 Conceptual Framework (the figure lists the same six components and sub-constructs under the two headings Perceived Importance and Perceived Implementation):

• Management Support: Information Security Commitment; Information Security Importance
• Policy & Procedure: Information Security Policy Effectiveness; Information Security Directives
• Compliance: Information Security Monitoring Perceptions; Information Security Consequences
• Awareness: Information Security Responsibility; Information Security Training
• Budget: Information Security Budget Practices; Information Security Investment
• Technology: Information Technology Capability; Information Technology Compatibility

Information security commitment is defined as the degree to which top management gives full support and shows its involvement in an organizational initiative on information security. Information security importance refers to the degree to which top management gives preference to information security as compared to any other activities. Information security policy effectiveness relates to the appraisal of the information security policy, whether it is understandable, practical and successfully communicated. Information security directives is concerned with clear direction or instruction on the protection of information security assets from information security incidents such as information security breaches caused by unauthorized parties. Information security monitoring perceptions refers to the perception regarding monitoring and disciplinary action in relation to information security practices, while information security consequences is defined as the necessary action that needs to be taken in the event of non-compliance with the information security policy. Information security responsibility denotes the person or department responsible for ensuring compliance with information security policies. Information security training means the training provided to employees so as to create awareness and increase their knowledge, skills, and competencies in information security. Information security budget practice signifies the annual allocation of budgets for information security activities and the prompt handling of expenses pertaining to information security activities. Information security investment represents the capital or time invested, which could be tangible or intangible. Information technology capability represents the ability to fulfill technical security requirements and assists organizations in fulfilling information security policy requirements. On the other hand, information technology compatibility relates to the ability of the software and hardware to work together while adhering to common technology standards.

3. RESEARCH METHODOLOGY

3.1. Research Paradigm and Approach

In management research, paradigms can be broadly divided into positivism and interpretivism, while approaches can be divided into three, namely quantitative, qualitative and mixed methods. Research that falls under the positivism paradigm is aimed at producing data that can be statistically analyzed and results that can be expressed numerically. Studies that employ a quantitative approach typically begin with data collection based on a hypothesis or theory, and the results or findings are usually objective and reliable since they are based on large and representative samples (Charumbira, 2013). The present study can be categorized under the positivism paradigm, while the approach is quantitative.

3.2. Research Method

As far as the research method is concerned, this study used the survey method. According to Mathiyazhagan & Nandan (2010), survey research is “a method of descriptive research used for collecting primary data based on verbal or written communication with a representative sample of individuals or respondents from the target population”. In a survey research design, the purpose of the study can be divided into exploration, description and hypothesis testing (Sekaran & Bougie, 2010). This study can be categorized as a descriptive study because it was undertaken to describe the characteristics of the variables of interest.

3.3. Population and Sampling

The population of the study was the Information Technology Departments of Malaysian Federal Ministries. At the time of data collection, the size of the population was 301. Using convenience sampling, a total of 295 questionnaires were distributed; 292 were returned and found usable for further analysis. Convenience sampling is a type of non-probability sampling. Rowley (2014) asserted that although probability sampling is believed to be ideal in research, the vast majority of studies in social science research actually draw upon non-probability samples. Bryman & Bell (2015) also stated that in reality, non-probability sampling is more frequently employed and more likely to be appropriate in fieldwork research. It is for this reason that this study used convenience sampling.

3.4. Data Collection

For collecting the research data, the study used a questionnaire. The items in the questionnaire were mainly developed by the researcher. Each construct from the conceptual framework uses four items. As there are altogether 12 constructs, the total number of items was 48. For each item, a five-point Likert scale was used. For perceived importance, the anchors were the two extremes of “1 = not important at all” and “5 = extremely important”. For perceived implementation, the anchors were the two extremes of “1 = not practice at all” and “5 = highly practice”. The respondents were required to respond by ticking on these Likert scales. Before the questionnaire was administered to the targeted respondents, it was first pre-tested and also pilot-tested. Several experts who were academicians and industry practitioners were engaged in the pre-testing exercise. Comments and suggestions given by them were used to revise and refine the questionnaire. Thirty respondents were also engaged in the pilot test. Their responses were used to calculate Cronbach’s alpha, an indicator of a scale’s reliability. The results showed that the Cronbach’s alpha scores for all constructs surpassed the recommended value of 0.7, suggesting that the instrument used in the study was acceptably reliable.

3.5. Data Analysis

This study performed both descriptive and inferential analysis on the research data. Descriptive analysis was performed to describe the variables; the statistics reported were the mean, standard deviation, standard error and variance. Inferential analysis was executed either to examine the relationship between variables or to compare different groups with regard to certain variables. In this study, a paired-sample t-test was used to compare the differences between perceived importance and perceived implementation in terms of the constructs of the ISC framework.
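As an added example (not code from the paper), the statistics of Sections 3.4 and 3.5 computed over constructed Likert responses for one construct: the per-item mean, standard error, standard deviation and variance reported in the paper's tables, Cronbach's alpha for a four-item scale, and the paired-sample t statistic for the importance/implementation gap. The function names and the sample data are assumptions; the row check reuses the first row of Table 1 (n = 292).

```python
"""Gap analysis for one ISC construct measured on 1-5 Likert items.

Standard library only: descriptive statistics per item, Cronbach's alpha for
the scale, and a paired-sample t statistic for perceived importance minus
perceived implementation, as in the paper's data analysis.
"""
import math


def mean(xs):
    return sum(xs) / len(xs)


def sample_variance(xs):
    """Unbiased (n-1) sample variance, the usual statistics-package value."""
    m = mean(xs)
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def describe(scores):
    """One table row for an item: mean, std error, std dev and variance."""
    n = len(scores)
    var = sample_variance(scores)
    sd = math.sqrt(var)
    return {"mean": mean(scores), "std_error": sd / math.sqrt(n),
            "std_dev": sd, "variance": var}


def row_is_consistent(n, mean_, se, sd, var, tol=1e-3):
    """Sanity check for a published row: SE must equal SD/sqrt(n) and the
    variance must equal SD squared (the mean itself cannot be re-derived)."""
    return abs(se - sd / math.sqrt(n)) < tol and abs(var - sd * sd) < tol


def cronbach_alpha(responses):
    """responses: one list of k item scores per respondent."""
    k = len(responses[0])
    item_vars = [sample_variance([r[i] for r in responses]) for i in range(k)]
    total_var = sample_variance([sum(r) for r in responses])
    if total_var == 0:
        raise ValueError("all respondents gave identical totals; alpha undefined")
    return (k / (k - 1)) * (1 - sum(item_vars) / total_var)


def paired_t(a, b):
    """Paired-sample t statistic and degrees of freedom for the per-respondent
    differences a[i] - b[i] (the same respondents rated both scales)."""
    d = [x - y for x, y in zip(a, b)]
    n = len(d)
    se = math.sqrt(sample_variance(d)) / math.sqrt(n)
    return mean(d) / se, n - 1


def construct_scores(responses):
    """One construct score per respondent: the average of its k items."""
    return [mean(r) for r in responses]


def gap_report(importance, implementation):
    """Importance-versus-implementation gap for one construct."""
    imp = construct_scores(importance)
    impl = construct_scores(implementation)
    t_stat, df = paired_t(imp, impl)
    return {
        "importance_mean": mean(imp),
        "implementation_mean": mean(impl),
        "gap": mean(imp) - mean(impl),
        "t": t_stat,
        "df": df,
        "alpha_importance": cronbach_alpha(importance),
        "alpha_implementation": cronbach_alpha(implementation),
        # per-item (importance row, implementation row) pairs, table style
        "item_rows": [(describe([r[i] for r in importance]),
                       describe([r[i] for r in implementation]))
                      for i in range(len(importance[0]))],
    }


# Constructed sample data (not the study's responses): 10 respondents scoring
# four "information security commitment" items, first for importance and then
# for implementation, on the 1-5 scales described in Section 3.4.
IMPORTANCE = [[5, 5, 5, 4], [5, 4, 5, 4], [4, 5, 5, 5], [5, 5, 4, 4], [5, 4, 5, 5],
              [4, 4, 4, 4], [5, 5, 5, 5], [5, 4, 4, 4], [4, 5, 5, 4], [5, 5, 5, 5]]
IMPLEMENTATION = [[2, 2, 3, 2], [2, 1, 2, 1], [3, 2, 2, 2], [1, 1, 2, 1], [2, 2, 3, 2],
                  [1, 1, 1, 1], [3, 2, 3, 2], [2, 1, 2, 2], [2, 2, 2, 1], [1, 2, 2, 2]]

if __name__ == "__main__":
    report = gap_report(IMPORTANCE, IMPLEMENTATION)
    for key in ("importance_mean", "implementation_mean", "gap", "t", "df",
                "alpha_importance", "alpha_implementation"):
        value = report[key]
        print(f"{key:>22}: {value:.3f}" if isinstance(value, float)
              else f"{key:>22}: {value}")
    # First row of the paper's Table 1: SE and variance agree with SD for n = 292.
    print("Table 1 row 1 consistent:",
          row_is_consistent(292, 4.71, 0.033, 0.568, 0.322))
```

The t statistic is reported without a p-value; compare it against a t distribution with the returned degrees of freedom.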

4. FINDINGS

4.1. Demographic Profiles

Out of the 292 respondents who participated in this study, 167 or 57.2% were men while the rest were women (42.8%). In terms of age, the majority of respondents were aged between 36 and 40 (47.9%) while the minority (13%) were reported to be aged between 31 and 35. For the respondents' education level, 30 or 10.3% indicated having a Master's degree while the remaining 262 or 89.7% had a Bachelor's degree.

4.2. Descriptive Analysis

Table 1 presents the descriptive statistics of information security commitment. The overall mean for perceived importance is 4.61 while for perceived implementation it is 2.01. These mean values suggest that all four listed items are indeed important in measuring information security commitment.

Table 1 Descriptive Statistics of Information Security Commitment (Imp. = perceived importance; Impl. = perceived implementation; Std Err = standard error; Std Dev = standard deviation)

| Item | Imp. Mean | Imp. Std Err | Imp. Std Dev | Imp. Variance | Impl. Mean | Impl. Std Err | Impl. Std Dev | Impl. Variance |
|---|---|---|---|---|---|---|---|---|
| Top management that is committed to information security policy formulation | 4.71 | 0.033 | 0.568 | 0.322 | 2.23 | 0.054 | 0.916 | 0.839 |
| Top management that is devoted to ensuring the success of protecting and safeguarding organizational information resources | 4.57 | 0.035 | 0.591 | 0.350 | 1.72 | 0.058 | 0.987 | 0.974 |
| Top management that is committed to maintaining organization’s reputation | 4.70 | 0.033 | 0.561 | 0.314 | 2.34 | 0.054 | 0.926 | 0.858 |
| Top management that is dedicated to providing mentoring and training opportunities regarding information security | 4.47 | 0.035 | 0.606 | 0.367 | 1.74 | 0.056 | 0.959 | 0.920 |
| Overall mean | 4.61 | | | | 2.01 | | | |


The highest mean score for perceived importance is for the item that reads “Top management that is committed to information security policy formulation”, while the lowest mean is for the item that reads “Top management that is dedicated to providing mentoring and training opportunities regarding information security”. In terms of perceived implementation, all mean scores are less than the mid-point value, implying that the practice of the listed items is relatively low in the participating organizations.

The overall mean for the four items measuring information security importance is 4.57 for perceived importance and 2.10 for perceived implementation. The highest mean score for perceived importance is for the item that reads “Top management that gives significant priority for information security policy establishment”, followed by the item that reads “Top management that communicate with the employees on the importance of information security”. As for perceived implementation, the mean scores ranged between 1.63 and 2.38. All of these values are less than the mid-point value of three, suggesting that the implementation of the listed items in the participating organizations is quite low. The lowest mean score for perceived implementation is for the item that reads “Top management that communicate with the employees on the importance of information security”. The detailed results of the descriptive statistics of information security importance are presented in Table 2.

Table 2 Descriptive Statistics of Information Security Importance

| Item | Imp. Mean | Imp. Std Err | Imp. Std Dev | Imp. Variance | Impl. Mean | Impl. Std Err | Impl. Std Dev | Impl. Variance |
|---|---|---|---|---|---|---|---|---|
| Top management that gives significant priority for information security policy establishment | 4.74 | 0.032 | 0.551 | 0.303 | 2.37 | 0.046 | 0.782 | 0.611 |
| Top management that gives significant preferences on information security enforcement | 4.48 | 0.035 | 0.595 | 0.354 | 2.38 | 0.045 | 0.770 | 0.593 |
| Top management that reacts immediately when there is information security breaches | 4.48 | 0.035 | 0.595 | 0.354 | 2.03 | 0.058 | 0.986 | 0.972 |
| Top management that communicate with the employees on the importance of information security | 4.59 | 0.036 | 0.606 | 0.367 | 1.63 | 0.055 | 0.933 | 0.870 |
| Overall mean | 4.57 | | | | 2.10 | | | |

Four items were developed for measuring information security policy effectiveness. Between perceived importance and perceived implementation, the former recorded a higher mean value than the latter, 4.57 as opposed to 2.04 (Table 3). For perceived importance, all items scored mean values greater than four, while for perceived implementation, all items scored mean values less than three. For perceived importance, the item that reads “The information security policy that is understandable by all employees irrespective of their ranks” recorded the highest mean value (i.e. 4.74) while the lowest mean value (i.e. 4.48) is for the item that reads “The information security policy that regularly reviewed and updated”. The respondents of the study believed that the information security policy of their organization was not regularly reviewed and updated. This is evident from the lowest mean value (i.e. 1.65) for perceived implementation.


Table 3 Descriptive Statistics of Information Security Policy Effectiveness

| Item | Imp. Mean | Imp. Std Err | Imp. Std Dev | Imp. Variance | Impl. Mean | Impl. Std Err | Impl. Std Dev | Impl. Variance |
|---|---|---|---|---|---|---|---|---|
| The information security policy that is understandable by all employees irrespective of their ranks | 4.74 | 0.032 | 0.551 | 0.303 | 2.29 | 0.040 | 0.689 | 0.475 |
| The information security policy that is well communicated to all employees irrespective of their ranks | 4.50 | 0.036 | 0.612 | 0.375 | 2.19 | 0.045 | 0.769 | 0.591 |
| The information security policy that ensures regulatory compliance with various privacy and security laws | 4.57 | 0.035 | 0.602 | 0.363 | 2.01 | 0.043 | 0.737 | 0.543 |
| The information security policy that regularly reviewed and updated | 4.48 | 0.036 | 0.606 | 0.367 | 1.65 | 0.051 | 0.874 | 0.763 |
| Overall mean | 4.57 | | | | 2.04 | | | |

The result of the descriptive analysis of information security policy directives is shown in Table 4. For perceived importance, the highest mean is for the item “Clear directives for the protection of stakeholder’s information”, followed by “Clear directives on the handling of information security incidents”. For perceived implementation, the highest mean is for the item that reads “Clear directives on the handling of information security incidents”, followed by “Clear directives on the prevention of information security breaches”. Overall, between perceived importance and perceived implementation, the mean difference is 2.76. Respondents in general believed that all of the listed items measuring information security policy directives were important but not well implemented in their organizations.

Table 4 Descriptive Statistics of Information Security Policy Directives

| Item | Imp. Mean | Imp. Std Err | Imp. Std Dev | Imp. Variance | Impl. Mean | Impl. Std Err | Impl. Std Dev | Impl. Variance |
|---|---|---|---|---|---|---|---|---|
| Clear directives for the protection of stakeholder’s information | 4.71 | 0.035 | 0.594 | 0.353 | 1.62 | 0.055 | 0.944 | 0.890 |
| Clear directives on the handling of information security incidents | 4.70 | 0.034 | 0.584 | 0.340 | 2.18 | 0.041 | 0.709 | 0.502 |
| Clear directives on the prevention of information security breaches | 4.50 | 0.037 | 0.629 | 0.395 | 2.01 | 0.039 | 0.658 | 0.433 |
| Clear directives for the compliance of organization’s policy and procedures | 4.60 | 0.035 | 0.604 | 0.365 | 1.68 | 0.051 | 0.876 | 0.768 |
| Overall mean | 4.63 | | | | 1.87 | | | |

To recall, information security monitoring perceptions is defined as the perception regarding monitoring and disciplinary action in relation to information security practices. Four items were used to measure this variable, and the results of the descriptive analysis are portrayed in Table 5. For perceived importance, all items recorded mean values greater than four, while for perceived implementation the overall mean score is 1.91. Apparently, all four listed items were not well implemented in the participating organizations despite being perceived as very important for the development of a solid ISC.

Table 5 Descriptive Statistics of Information Security Monitoring Perceptions

| Item | Imp. Mean | Imp. Std Err | Imp. Std Dev | Imp. Variance | Impl. Mean | Impl. Std Err | Impl. Std Dev | Impl. Variance |
|---|---|---|---|---|---|---|---|---|
| Constant monitoring of information security policy compliance by all employees | 4.74 | 0.035 | 0.606 | 0.367 | 2.09 | 0.040 | 0.680 | 0.462 |
| Constant assessment employee’s key performance indicators regarding information security practices | 4.34 | 0.036 | 0.618 | 0.382 | 2.02 | 0.039 | 0.663 | 0.439 |
| Periodic study on the employee’s satisfaction regarding information security practices | 4.35 | 0.038 | 0.653 | 0.426 | 1.76 | 0.042 | 0.720 | 0.518 |
| Regular surveillance of employees information security practices | 4.37 | 0.038 | 0.648 | 0.420 | 1.78 | 0.033 | 0.570 | 0.325 |
| Overall mean | 4.45 | | | | 1.91 | | | |

Based on the results shown in Table 6, it is quite apparent that respondents of the study felt that making employees accountable for actions that violate the security policy is very important. In the same light, they also felt that it is equally necessary to take corrective action where there is a violation of the information security policy. The respondents of the study also indicated that it is important to penalize employees who refuse to participate in information security awareness activities and those who refuse to attend any information security training. While all of the listed items measuring information security consequences were perceived as important, they were, however, not well practiced and implemented in the participating organizations.

Table 6 Descriptive Statistics of Information Security Consequences

| Item | Perceived Importance Mean | Std Error | Std Dev | Variance | Perceived Implementation Mean | Std Error | Std Dev | Variance |
|---|---|---|---|---|---|---|---|---|
| Making employees accountable for their actions that violate security policy | 4.38 | 0.034 | 0.582 | 0.339 | 2.07 | 0.042 | 0.717 | 0.515 |
| Taking corrective action for non-compliance events towards information security policy | 4.49 | 0.036 | 0.612 | 0.375 | 1.83 | 0.045 | 0.771 | 0.594 |
| Penalizing the employee for refusing to participate in information security awareness activities | 4.43 | 0.035 | 0.602 | 0.362 | 1.84 | 0.037 | 0.626 | 0.392 |
| Penalizing the employee for refusing to attend the information security training | 4.44 | 0.035 | 0.597 | 0.357 | 1.51 | 0.044 | 0.748 | 0.560 |
| Overall mean | 4.44 | | | | 1.81 | | | |

The overall mean for the perceived importance of information security responsibilities is 4.65, implying that the respondents of the study agreed that the listed items are indeed very important for creating an ISC. Out of the four items, two scored a mean of 4.76, namely the items that read "Entrusting the employee with responsibility for the protection of organizational resources" and "Delegating greater authority to employees regarding information security practices". In terms of implementation, the mean scores for the four items ranged between 1.59 and 2.01 (Table 7). These values suggest that information security responsibilities are not in place in the participating organizations.

Table 7 Descriptive Statistics of Information Security Responsibilities

| Item | Perceived Importance Mean | Std Error | Std Dev | Variance | Perceived Implementation Mean | Std Error | Std Dev | Variance |
|---|---|---|---|---|---|---|---|---|
| Entrusting the employee with responsibility for the protection of organizational resources | 4.76 | 0.034 | 0.582 | 0.339 | 2.01 | 0.035 | 0.601 | 0.361 |
| Delegating greater authority to employees regarding information security practices | 4.76 | 0.031 | 0.528 | 0.279 | 1.88 | 0.038 | 0.650 | 0.422 |
| Creating specific designations that oversee information security practices | 4.50 | 0.036 | 0.618 | 0.381 | 1.84 | 0.036 | 0.613 | 0.376 |
| Involving employees in the formulation of information security policy | 4.56 | 0.036 | 0.615 | 0.378 | 1.59 | 0.042 | 0.725 | 0.525 |
| Overall mean | 4.65 | | | | 1.83 | | | |

The importance of information security training in the creation of an ISC has been well established in many studies (Martins & Eloff, 2002; Whitman and Mattord, 2014). The findings of this study, as shown in Table 8, are quite comparable to previous studies. The mean scores for the four listed items measuring training are well above four. However, in terms of implementation, the mean scores for the four items are less than three. The overall mean for perceived importance is 4.65, while the overall mean for perceived implementation is 1.82. These values suggest that a huge gap exists between perceived importance and perceived implementation.

Table 8 Descriptive Statistics of Information Security Training

| Item | Perceived Importance Mean | Std Error | Std Dev | Variance | Perceived Implementation Mean | Std Error | Std Dev | Variance |
|---|---|---|---|---|---|---|---|---|
| Making it compulsory for all employees to attend information security training | 4.80 | 0.029 | 0.487 | 0.237 | 2.09 | 0.038 | 0.654 | 0.428 |
| Making employees participate in information security awareness activities | 4.60 | 0.033 | 0.557 | 0.310 | 2.02 | 0.040 | 0.676 | 0.456 |
| Organizing information security training and awareness programs periodically for employees | 4.62 | 0.032 | 0.552 | 0.305 | 1.77 | 0.043 | 0.739 | 0.547 |
| Diversifying the mode of delivery for information security training (i.e. online training, face-to-face lecture, etc.) | 4.58 | 0.033 | 0.565 | 0.320 | 1.40 | 0.037 | 0.637 | 0.405 |
| Overall mean | 4.65 | | | | 1.82 | | | |


In terms of information security budget practices, the respondents of the study indicated that allocating an annual budget for information security spending and cost is as important as allocating an annual budget for information security activities. In the same light, they also indicated that allocating an annual budget for maintaining information security technologies is important. Unfortunately, when it comes to implementation, this is still not in place. The overall mean for perceived implementation is 1.97, suggesting that much effort is needed to make these organizations allocate an appropriate budget for information security (Table 9).

Table 9 Descriptive Statistics of Information Security Budget Practices

| Item | Perceived Importance Mean | Std Error | Std Dev | Variance | Perceived Implementation Mean | Std Error | Std Dev | Variance |
|---|---|---|---|---|---|---|---|---|
| Allocating annual budget for information security spending and cost | 4.73 | 0.033 | 0.579 | 0.335 | 2.10 | 0.037 | 0.637 | 0.406 |
| Allocating annual budget for information security activities | 4.39 | 0.035 | 0.597 | 0.356 | 1.98 | 0.040 | 0.678 | 0.460 |
| Allocating annual budget for maintaining information security technologies | 4.46 | 0.035 | 0.605 | 0.366 | 1.84 | 0.041 | 0.700 | 0.491 |
| Overall mean | 4.53 | | | | 1.97 | | | |

Table 10 depicts the descriptive statistics of information security investment. Three items were used, and the item that reads "Investing significantly on information security resources" scored the highest mean for perceived implementation. The overall mean for perceived importance is 4.56, as compared to 1.82 for perceived implementation. The item that reads "Investing human resources to produce experts in information security" has the lowest mean score for perceived implementation, suggesting that the participating organizations fall short of experts in information security.

Table 10 Descriptive Statistics of Information Security Investment

| Item | Perceived Importance Mean | Std Error | Std Dev | Variance | Perceived Implementation Mean | Std Error | Std Dev | Variance |
|---|---|---|---|---|---|---|---|---|
| Investing significantly on information security resources | 4.80 | 0.029 | 0.492 | 0.242 | 2.13 | 0.041 | 0.704 | 0.496 |
| Investing significantly on information security training | 4.38 | 0.034 | 0.588 | 0.346 | 1.86 | 0.035 | 0.598 | 0.357 |
| Investing human resources to produce experts in information security | 4.49 | 0.035 | 0.589 | 0.347 | 1.46 | 0.040 | 0.690 | 0.476 |
| Overall mean | 4.56 | | | | 1.82 | | | |

Three items measuring information technology capability are presented in Table 11. The item that reads "Technological capability that is benchmarked against best practices in the industry" scored the highest mean value for perceived importance. This is followed by the item that reads "Technological capability that increases employees' performance towards compliance of policies". The overall mean for perceived importance is 4.56, as compared to 2.09 for perceived implementation. The item that reads "Information security technology that is flexible and expandable" scored the lowest mean values in Table 11.


Table 11 Descriptive Statistics of Information Technology Capability

| Item | Perceived Importance Mean | Std Error | Std Dev | Variance | Perceived Implementation Mean | Std Error | Std Dev | Variance |
|---|---|---|---|---|---|---|---|---|
| Technological capability that is benchmarked against best practices in the industry | 4.72 | 0.033 | 0.558 | 0.311 | 2.21 | 0.043 | 0.727 | 0.528 |
| Technological capability that increases employees' performance towards compliance of policies | 4.48 | 0.036 | 0.617 | 0.381 | 2.15 | 0.041 | 0.699 | 0.488 |
| Information security technology that is flexible and expandable | 4.47 | 0.035 | 0.594 | 0.353 | 1.91 | 0.037 | 0.636 | 0.404 |
| Overall mean | 4.56 | | | | 2.09 | | | |

Table 12 showcases the results of the descriptive analysis of information technology compatibility. Between perceived importance and perceived implementation, the overall mean score is higher for the former than for the latter. As for perceived importance, the respondents of the study rated the three items well above the mid-point value. In contrast, the mean scores for the three items were less than 2.00 for perceived implementation. The results simply suggest that despite the perception that information technology is important for establishing an ISC, its implementation is still not in place.

Table 12 Descriptive Statistics of Information Technology Compatibility

| Item | Perceived Importance Mean | Std Error | Std Dev | Variance | Perceived Implementation Mean | Std Error | Std Dev | Variance |
|---|---|---|---|---|---|---|---|---|
| Information security technology that is compatible with the organizational standard operating procedure | 4.82 | 0.026 | 0.447 | 0.199 | 1.60 | 0.056 | 0.952 | 0.907 |
| Information security technologies that are compatible with employees' work design | 4.73 | 0.030 | 0.515 | 0.265 | 1.94 | 0.040 | 0.686 | 0.470 |
| Information security technology that reduces the risks of information security breaches | 4.74 | 0.030 | 0.513 | 0.264 | 1.59 | 0.049 | 0.839 | 0.704 |
| Overall mean | 4.76 | | | | 1.71 | | | |

Table 13 Paired Samples Statistics

| Variable | Mean | Std Dev | Std Error | t | df | Sig |
|---|---|---|---|---|---|---|
| IS Commitment | 2.60 | 0.945 | 0.055 | 47.049 | 291 | 0.000 |
| IS Importance | 2.47 | 0.862 | 0.051 | 49.041 | 291 | 0.000 |
| IS Policy Effectiveness | 2.54 | 0.748 | 0.044 | 58.014 | 291 | 0.000 |
| IS Directives | 2.75 | 0.784 | 0.046 | 60.054 | 291 | 0.000 |
| IS Monitoring Perception | 2.53 | 0.684 | 0.040 | 63.338 | 291 | 0.000 |
| IS Consequences | 2.62 | 0.716 | 0.042 | 62.560 | 291 | 0.000 |
| IS Responsibility | 2.82 | 0.665 | 0.039 | 72.427 | 291 | 0.000 |
| IS Training | 2.83 | 0.587 | 0.034 | 82.366 | 291 | 0.000 |
| IS Budget Practice | 2.56 | 0.665 | 0.039 | 65.623 | 291 | 0.000 |
| IS Investment | 2.74 | 0.636 | 0.037 | 73.671 | 291 | 0.000 |
| IS Technology Capability | 2.47 | 0.737 | 0.043 | 57.166 | 291 | 0.000 |
| IS Technology Compatibility | 3.05 | 0.822 | 0.048 | 63.472 | 291 | 0.000 |


Table 13 presents the results of the paired sample t-test between perceived importance and perceived implementation. The p-values for all variables are less than 0.05, indicating that the difference between perceived importance and perceived implementation is significant. As already discussed in the previous sections, the mean score of perceived importance is far greater than that of perceived implementation.
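As an added consistency check (not part of the original paper), the following Python script re-derives each t statistic in Table 13 from the reported mean difference, standard deviation and degrees of freedom, and cross-checks the Table 13 mean differences against the gap between the "overall mean" rows of Tables 5 to 12 that appear in this section. It assumes that the reported t is the paired-samples statistic (mean difference over its standard error) and that n = df + 1 = 292 respondents; the tolerances only account for the rounding of the printed values.

```python
"""Sanity checks on the paired-samples t-test results reported in Table 13.

Added example, not taken from the paper. Values below are copied from the
page; n = df + 1 = 292 is inferred from the paired t-test's df = n - 1.
"""
import math

# Rows of Table 13 as printed: (variable, mean difference, std dev, t, df).
TABLE_13 = [
    ("IS Commitment", 2.60, 0.945, 47.049, 291),
    ("IS Importance", 2.47, 0.862, 49.041, 291),
    ("IS Policy Effectiveness", 2.54, 0.748, 58.014, 291),
    ("IS Directives", 2.75, 0.784, 60.054, 291),
    ("IS Monitoring Perception", 2.53, 0.684, 63.338, 291),
    ("IS Consequences", 2.62, 0.716, 62.560, 291),
    ("IS Responsibility", 2.82, 0.665, 72.427, 291),
    ("IS Training", 2.83, 0.587, 82.366, 291),
    ("IS Budget Practice", 2.56, 0.665, 65.623, 291),
    ("IS Investment", 2.74, 0.636, 73.671, 291),
    ("IS Technology Capability", 2.47, 0.737, 57.166, 291),
    ("IS Technology Compatibility", 3.05, 0.822, 63.472, 291),
]

# Overall means (perceived importance, perceived implementation) from the
# "Overall mean" rows of Tables 5 to 12; the first four variables of Table 13
# have their descriptive tables outside this section, so they are not listed.
OVERALL_MEANS = {
    "IS Monitoring Perception": (4.45, 1.91),
    "IS Consequences": (4.44, 1.81),
    "IS Responsibility": (4.65, 1.83),
    "IS Training": (4.65, 1.82),
    "IS Budget Practice": (4.53, 1.97),
    "IS Investment": (4.56, 1.82),
    "IS Technology Capability": (4.56, 2.09),
    "IS Technology Compatibility": (4.76, 1.71),
}


def paired_t(mean_diff, sd_diff, n):
    """Paired-samples t: mean difference divided by its standard error sd/sqrt(n)."""
    return mean_diff / (sd_diff / math.sqrt(n))


def t_bounds(mean_diff, sd_diff, n, mean_places=2, sd_places=3):
    """Smallest and largest t consistent with the mean and SD as rounded in print."""
    half_mean = 0.5 * 10 ** -mean_places   # printed mean is within +/- 0.005
    half_sd = 0.5 * 10 ** -sd_places       # printed SD is within +/- 0.0005
    lo = paired_t(mean_diff - half_mean, sd_diff + half_sd, n)
    hi = paired_t(mean_diff + half_mean, sd_diff - half_sd, n)
    return lo, hi


def check_table_13(rows=TABLE_13):
    """Return {variable: (recomputed t, ok)}; ok means the printed t lies
    inside the interval implied by rounding of the printed mean and SD."""
    results = {}
    for name, mean_diff, sd_diff, t_reported, df in rows:
        n = df + 1
        lo, hi = t_bounds(mean_diff, sd_diff, n)
        t_calc = round(paired_t(mean_diff, sd_diff, n), 3)
        results[name] = (t_calc, lo <= t_reported <= hi)
    return results


def check_gap_consistency(rows=TABLE_13, overall=OVERALL_MEANS, tol=0.015):
    """Compare each Table 13 mean difference with (importance - implementation)
    from the overall-mean rows. Two means rounded to 2 places can disagree with
    the rounded difference by up to 0.01 + 0.005, hence the default tolerance."""
    results = {}
    for name, mean_diff, *_ in rows:
        if name in overall:
            importance, implementation = overall[name]
            results[name] = abs((importance - implementation) - mean_diff) <= tol
    return results


if __name__ == "__main__":
    for name, (t_calc, ok) in check_table_13().items():
        print(f"{name:30s} recomputed t = {t_calc:8.3f}  within rounding bounds: {ok}")
    for name, ok in check_gap_consistency().items():
        print(f"{name:30s} Table 13 gap matches overall means: {ok}")
```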

5. DISCUSSION

The requirements and the characteristics of an ISC differ from one organization to another (Masrek, 2017). The findings of this study have shown that, in the context of public organizations, management support, policy and procedures, compliance, awareness, budget and technology are the important elements for developing an ISC. However, the findings also showed that these elements were not appropriately in place. An ISC starts from top management. Hone & Eloff (2002) stated that if top management really understands the need for information security in the organization, they will put effort into enforcing it and employees will be more involved. Apparently, the findings of this study suggest that top management is not engaged, or perhaps not at all familiar with the concept of information security. Martins & Eloff (2002) asserted that management needs to model the correct behaviour, since it will become accepted as the way in which things are done and will be the reference for employee behaviour, which will later develop into a certain culture in the organization.

Da Veiga (2015) pointed out that the information security policy is a critical success factor for the establishment of an ISC in an organisation. An information security policy is a written, living document outlining the actions and procedures that employees should follow in order to protect an organization's information security assets (Siponen & Iivari, 2006). Latham (2013) stated that, in order to make sure that the organization's information security policy is useful, policy documents must be developed that fit the organizational culture. Despite the importance of information security policy, it is still not widely practiced in the participating organizations.

Antoniou (2015) stated that if employees do not comply with an information security policy, the safety of the organization's information assets may be compromised. Perhaps that is why Puhakainen & Siponen (2010) stressed that the issue of employee compliance with information security policy is one of the greatest risks to the safety of an organization's information assets. Herath & Rao (2009) explained that information security policies that are complicated and varied could be the reason why employees refuse to comply. Some employees also feel that complying with information security is too time-consuming, pointless or complex (Antoniou, 2015). This situation creates the need for continuous monitoring (Xiao-yan, Yu-quing, & Li-Leia, 2011). As presented in the findings section, the respondents acknowledged the importance of compliance, but in the context of their organizations they admitted that it has yet to be successfully implemented.

The ISO17799 (ISO 2005) standard states that "providing appropriate training, education and awareness" is critical to the successful implementation of information security. This is because the effectiveness of information security controls depends on the people who are implementing and using them (Martins & Eloff, 2002). Hence, through awareness and training, employees will be equipped with the necessary skills and knowledge of information security. Whitman and Mattord (2014) suggested that training for users should be customized depending on their functional background; this method includes training for general users, training for managerial users, and training for technical users. Almost consistent with Connolly, Lang & Tygar (2014), this study found that awareness and training is either not provided or poorly organized.

Having a sufficient budget is a crucial aspect of the implementation of information security (Dinnie, 1999). Björck (2001) defined a budget as a financial facility that can estimate the costs and evaluate the access needed to the resources to accomplish successful implementation of information security. A security budget can include (i) technical cost, both hardware and software such as antivirus and firewalls, and (ii) education, which covers trainers, contents and learning platforms. Beebe, Young & Chang (2014) noted that "top-level management consider information security investment requests amid competing funding requests across their organizations and they often have to make trade-off decisions amidst limited budgets". Their study concluded that organizations are typically inclined to take more risks than to invest in information security to prevent loss-based consequences (Beebe, Young & Chang, 2014). Similar to the findings of Beebe, Young & Chang (2014), this study also discovered that the participating organizations did not have appropriate budget allocations for information security.

IT capability can be defined "as the ability of firm to selects, accepts, configures and implements IT" (Turulja & Bajgorić, 2016), while IT compatibility is the degree of perceived ease of use of IT software when it is integrated with related IT facilities, work culture, values, and organizational practices (Ghobakhloo et al., 2012). According to Shrivastava (2016), "in order to reap maximum benefits from any IT investments, the IT infrastructure must be optimized, benchmarked and its value to business quantifiable and that is why security plays an important role during the optimization process". Skopik, Settanni & Fiedler (2016) stated that IT compatibility, in both hardware and software, is crucial in information security implementation. The study by Alkasabeh (2014) showed that there was a direct relationship between IT capabilities and the implementation of information security management systems in Jordanian banks. The findings of this study indicate that the technology components, namely capability and compatibility, are not well addressed in the development of an ISC.

6. CONCLUSIONS

The aim of this study has been to identify the components perceived as important for developing an ISC in the context of Malaysian public organizations and to identify the state of practice in relation to those components. In addition, the study examined the gap between perceived importance and perceived implementation of the ISC components. The results of the study have shown that management support, policy and procedures, compliance, awareness, budget and technology are important in developing an ISC. However, all of these components are not in place in the participating organizations. The findings also indicate that the gap between the ideal level and the current state of implementation of the ISC components is very large and significant.

This study has shown that in order to develop an ISC, practitioners have to focus on the following factors: management support, policy and procedures, compliance, awareness, budget and technology. As for the participating organizations, much effort is needed to address the lack of the aforementioned factors. Top management may need to attend various workshops or seminars on information security so as to increase their awareness and understanding of the need for and importance of developing an ISC. Probably, after having the right understanding, top management will start to initiate planning and strategies geared towards the development of an ISC. In addition, they will also start looking into developing an information security policy for their organizations and allocating an appropriate budget for training and awareness activities for employees.

Just like any other study, this study is also subject to several limitations. The first is related to the time horizon of the data collection. As this is a cross-sectional study, the data may not be as precise as data collected in a longitudinal setting. Secondly, the unit of analysis was the organization, where only one representative of each organization was engaged to provide the data. For a study focusing on culture, multiple respondents for any given organization would be a better choice, as their responses could be aggregated to provide a more accurate answer.

ACKNOWLEDGEMENT

The researchers would like to extend their thanks and appreciation to Universiti Teknologi MARA (UiTM) and the Ministry of Higher Education (MoHE) Malaysia for funding the project under the Fundamental Research Grant Scheme, file no. FRGS/1/2016/SS09/UITM/02/2.

REFERENCES

[1] AlHogail, A. and Mirza, A. (2015). Organizational Information Security Culture Assessment. Proceedings of the International Conference on Information Security and Management (SAM2015), 286-292.

[2] Alkasabeh, A.A. (2014). The Effect of Information Technology Capabilities in Implementing Information Security Management Systems. European Scientific Journal, 10(18), 377-385.

[3] Anderson, J. (2003). Why we need a new definition of information security. Computers and Security, 22(4), 308-313.

[4] Antoniou, G.S. (2015). Designing an effective information security policy for exceptional situations in an organization: An experimental study. Doctoral dissertation, Nova Southeastern University. Retrieved from NSUWorks, College of Engineering and Computing (949): http://nsuworks.nova.edu/gscis_etd/949

[5] Beebe, N.L., Young, D.K. and Chang, N.R. (2014). Framing Information Security Budget Requests to Influence Investment Decisions. Communications of the Association for Information Systems, 35(7), 133-143.

[6] Björck, F. (2001). Implementing Information Security Management Systems. In: Eloff, J.H.P., Labuschagne, L., von Solms, R. and Dhillon, G. (eds), Advances in Information Security Management & Small Systems Security. IFIP International Federation for Information Processing, vol. 72. Springer, Boston, MA.

[7] Brown, A. (1998). Organisational Culture (2nd ed.). London: Pitman Publishing.

[8] Bryman, A. and Bell, E. (2015). Business Research Methods (4th ed.). United Kingdom: OUP Oxford.

[9] Charumbira, L.T. (2013). The Philosophical and Methodological Approaches Used by Sport and Business Management Student Researchers in Zimbabwe. Global Journal of Commerce and Management Perspectives, 2(6), 51-56.

[10] Connolly, L., Lang, M. and Tygar, D. (2014). Managing Employee Security Behaviour in Organisations: The Role of Cultural Factors and Individual Values. Proceedings of the 29th IFIP International Information Security Conference (SEC), June 2014, Marrakech, Morocco.


[11] Da Veiga, A. (2015). The Influence of Information Security Policies on Information Security Culture: Illustrated through a Case Study. Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015).

[12] Da Veiga, A. and Eloff, J.H. (2010). A Framework and Assessment Instrument for Information Security Culture. Computers & Security, 29(2), 196-207.

[13] Dhillon, G. (2007). Principles of Information Systems Security: Text and Cases. Danvers: John Wiley & Sons.

[14] Dinnie, G. (1999). The Second Annual Global Information Security Survey. Information Management & Computer Security, 7(3), 112-120.

[15] Eloff, M.M. and Von Solms, S.H. (2000). Information security management: An approach to combine process certification and product evaluation. Computers & Security, 19(8), 698-709.

[16] Ghobakhloo, M., Hong, T., Sabouri, M. and Zulkifli, N. (2012). Strategies for Successful Information Technology Adoption in Small and Medium-Sized Enterprises. Information, 3, 36-67.

[17] Herath, T. and Rao, H.R. (2009). Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures and Perceived Effectiveness. Decision Support Systems, 47(2), 154-165.

[18] Hone, K. and Eloff, J. (2002). What Makes an Effective Information Security Policy? Network Security, 2(6), 14-16.

[19] ISO (2005). Information technology. Security techniques. Code of practice for information security management. ISO/IEC 17799 (BS 7799-1:2005).

[20] IT Governance Institute (2001). Information Security Governance: Guidance for Boards of Directors and Executive Management. Information Systems Audit and Control Foundation (ISACF).

[21] Latham, R. (2013). Information Management Advice 35: Implementing Information Security. Retrieved 4 August 2018 from https://www.informationstrategy.tas.gov.au/Records-Management-Principles/Document%20Library%20%20Tools/Advice%2035%20Implementing%20Information%20Security%20Part%204%20-%20IS%20Policy.pdf

[22] Martins, A. and Eloff, J. (2002). Information security culture. In Security in the Information Society. Boston: Kluwer Academic Publishers, 203-214.

[23] Martins, N. and Da Veiga, A. (2015). An Information Security Culture Model Validated with Structural Equation Modelling. Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015).

[24] Masrek, M.N. (2017). Assessing Information Security Culture: The Case of Malaysia Public Organization. Proceedings of the 2017 4th International Conference on Information Technology, Computer, and Electrical Engineering (ICITACEE), Oct 18-19, 2017, Semarang, Indonesia.

[25] Mathiyazhagan, T. and Nandan, D. (2010). Survey Research Method. Media Mimansa, National Institute of Family & Welfare, July-September 2010, New Delhi.

[26] Nieles, M., Dempsey, K. and Pillitteri, V.Y. (2017). An Introduction to Information Security. NIST Special Publication 800-12 (Revision 1). National Institute of Standards and Technology (NIST). Available online: https://doi.org/10.6028/NIST.SP.800-12r1

[27] Peltier, T.R., Peltier, J. and Blackley, J. (2005). Information Security Fundamentals. Boca Raton, Florida: Auerbach Publications.

[28] Ponemon Institute (2017a). 2017 Cost of Data Breach Study: Global Overview.


[29] Ponemon Institute (2017b). 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).

[30] Puhakainen, P. and Siponen, M. (2010). Improving employees' compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757-778.

[31] Rastogi, R. and von Solms, R. (2012). Information security service culture: information security for end-users. Journal of Universal Computer Science, 18(12), 1628-1642.

[32] Rowley, J. (2014). Designing and using research questionnaires. Management Research Review, 37(3), 308-330.

[33] Schein, E.H. (1999). The Corporate Culture Survival Guide. Jossey-Bass Inc.

[34] Schlienger, T. and Teufel, S. (2003). Information security culture: from analysis to change. South African Computer Journal, 31, 46-52.

[35] Sekaran, U. and Bougie, R. (2010). Research Methods for Business: A Skill Building Approach (5th ed.). West Sussex: John Wiley & Sons.

[36] Shrivastava, A.K. (2016). The Impact Assessment of IT Infrastructure on Information Security: A Survey Report. Procedia Computer Science, 78, 314-322.

[37] Siponen, M. and Iivari, J. (2006). Six design theories for IS security policies and guidelines. Journal of the Association for Information Systems, 7(7), 445-472.

[38] Skopik, F., Settanni, G. and Fiedler, R. (2016). A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Computers & Security, 60, 154-176.

[39] Tan, R. and Nair, S. (2017, October 31). Malaysia Sees Biggest Mobile Data Breach. The Star. Retrieved from https://www.thestar.com.my/news/nation/2017/10/31/msia-sees-biggest-mobile-data-breach-over-46-million-subscribed-numbers-at-risk-from-scam-attacks-an/

[40] Tolah, A., Furnell, S.M. and Papadaki (2017). A Comprehensive Framework for Cultivating and Assessing Information Security Culture. Proceedings of the Eleventh International Symposium on Human Aspects of Information Security & Assurance (HAISA 2017).

[41] Turulja, L. and Bajgorić, N. (2016). Innovation and Information Technology Capability as Antecedents of Firms' Success. Interdisciplinary Description of Complex Systems, 14(2), 148-156.

[42] Von Solms, B. (2000). Information security: the third wave? Computers & Security, 19(7), 615-620.

[43] Whitman, M. and Mattord, H. (2014). Management of Information Security. Boston: Course Technology Cengage Learning.

[44] Xiao-yan, G., Yu-quing, Y. and Li-Leia, L. (2011). An Information Security Maturity Evaluation Mode. Procedia Engineering, 24(1), 335-339.